RHC Dark Lab: 17 September 2025 10:18
ShinyHunters is a group of threat actors that recently gained notoriety after the massive data breach against Salesforce, an incident that prompted Google to closely monitor them and assign them the code name UNC6240.
The Salesforce breach allowed the attackers to gain easy access to numerous companies across a wide range of industries, including Palo Alto, Zscaler, Cloudflare, and Tenable. In recent days, many companies have released official statements about the breaches they suffered, while many others have yet to make any public statement.
Many analysts believe that ShinyHunters is made up of individuals linked to the cybercriminal group “The Com”, an ecosystem of hackers mainly from North America and the United Kingdom. In recent months, ShinyHunters has intensified its activities, targeting numerous organizations. Each operation is promptly claimed on their official Telegram channel, where they also offer the opportunity to purchase the stolen data.
Among the most significant publicly claimed attacks are the breach of Jaguar Land Rover, in which ShinyHunters took part and which reportedly caused significant production disruptions, and the breach of the fashion group Kering (which controls brands such as Gucci, Balenciaga, and Saint Laurent), whose company data the group put up for sale on its own channels.
ShinyHunters thus confirms its position as one of the main current threats in the cybercriminal landscape, capable of combining large-scale data breach techniques with a strong communication and monetization strategy.
RHC: ShinyHunters, thank you for agreeing to be a guest on RedHotCyber! Before we begin, we would like to give you the opportunity to introduce yourself to our readers. What is ShinyHunters and how did it come about? Could you also explain once and for all the difference between you, Scattered Spider, and LAPSUS? Are you a rebranding of an existing group, or have you been part of other groups like yours?
SH: What is ShinyHunters? ShinyHunters was born from an underground community with a simple goal: to show that systems that appear “solid” are actually fragile. We are not a rebranding of Scattered Spider or LAPSUS$, despite the media’s frequent comparisons. They have their own distinct characteristics. We emerged with our own identity, not an official spin-off of anyone. The difference? We focus more on high impact with less “theatrics,” while other groups tend to be more chaotic or opportunistic.
RHC: What is your main motivation? Financial gain, political/social demands, or a desire for fame?
SH: Our motivation? A combination. There’s the financial aspect—obviously, that’s a big part. But there’s also ego, the desire to prove ourselves, and the satisfaction of shaking up the industry. Fame comes naturally, but it’s not the sole goal.
RHC: Can you disclose the size of your group? Do you have a structured affiliate program to increase your group membership? Do you have any requirements for joining the team?
SH: This group is small but efficient. It’s not an army of thousands. We don’t have an open “affiliate program,” but we do have a reputation-based recruitment mechanism. The requirements aren’t just technical skills; mentality, confidentiality, and loyalty are far more important.
RHC: It would appear that you greatly favor attacks using social engineering. Do you consider this technique to be simpler and more effective for gaining initial access? Is this due to the victims’ lack of awareness and training?
SH: Yes, we rely heavily on social engineering. Why? Because technology can be patched, but humans? Weak from the start. Lack of awareness and training makes this the quickest route. There’s no need for a zero-day weapon when a single phone call can open the door.
RHC: Do you use exploits that you have developed yourself for your attacks? How do you plan potential improvements?
SH: We don’t always write exploits from scratch. The underground world is full of ideas, and we combine what’s available with our own creativity. Innovation isn’t just about new code, but about new ways of using something that’s considered commonplace.
RHC: On average, what level of security did you find in your victims? What would you recommend organizations do to avoid being targeted by groups like yours?
SH: Many large organizations have mediocre security. From the outside, they appear strong, but inside, they’re a mess. One recommendation: build a security culture, not just tools. Without it, all devices are just an illusion of protection.
RHC: How do you choose your targets? Are there any sectors or countries that interest you more than others? If so, why?
SH: We choose targets that promise high “value”—both financial and symbolic. The technology, healthcare, and aviation industries are all attractive because of their broad impact. Countries? It depends on the political context, but our focus is more global than national.
RHC: Are there any companies or categories of victims that you consider “off limits”? Do you set moral limits on your actions?
SH: There are. While it may sound ironic, we don’t indiscriminately attack hospitals or humanitarian organizations. There’s a fine line we don’t cross, even if it’s a vague one. We’re not “saviors,” but we’re not without a moral compass either.
RHC: You targeted aviation-related systems. What prompted you to attack such a critical and regulated sector? Can you explain what techniques you used to penetrate such a complex system, how much time it took you to achieve the result, and whether, from your point of view, the operation produced a return on investment (ROI) commensurate with the effort?
SH: Why aviation? Because of its criticality. Penetrating such a large system is a testament to skill. It takes time—it requires patience, observation, and multi-layered tactics. Is the ROI worth it? For us, yes. The impact is greater than just money.
RHC: When planning your campaigns, how do you decide which sectors to focus on? Also, how do you select the people to contact for your social engineering?
SH: We assess sectors based on vulnerability and potential domino effects. For social engineering, we select individuals with broad access but low awareness levels—support staff, contractors, partners. These individuals often provide entry points.
RHC: Can you give us some information about the tools you use? In addition to legal ones (e.g., AnyDesk), how do you approach the creation of your tools? Is there a type of tool that requires more attention than others? When creating your ransomware, did you take inspiration from other ransomware on the scene? Is everything created by you, or do you rely on external developers?
SH: We use a mix of legitimate tools (such as remote desktop) and our own. We build ransomware inspired by existing tools, but we modify them to suit our needs. Not all of us are coders; we sometimes collaborate with external parties.
RHC: Is there anything that governments, companies, or public opinion have misunderstood about your group and activities? On your Telegram channel, you have said several times that law enforcement agencies have arrested the wrong people. Furthermore, what motivates you to request the dismissal of operators/agents investigating you? Do you feel more pressure than in previous periods of your activity?
SH: There are many misunderstandings. The media and the government often wrongly accuse or arrest people on the fringes of society. Why do we mock the authorities? Because they are often busier finding scapegoats than understanding how we operate. The pressure is mounting, but that’s part of the game.
RHC: The attack on Salesforce’s supply chain, through the Drift component, had an unprecedented global impact. What was the primary objective of the operation: espionage, immediate monetization, or a demonstration of technical strength?
SH: The goal was a combination: quick monetization while demonstrating strength. Espionage may have been a side effect, but the point was to demonstrate the fragility of global supply chains, even in a company as large as Salesforce.
RHC: In the case of the Salesforce supply chain compromise, the real vulnerability appears to have been the use of already valid OAuth credentials, rather than a technical exploit. Can you clarify whether these credentials were obtained through targeted campaigns (phishing, social engineering), purchased on the underground market, or by exploiting weak configurations or client/supplier errors?
SH: Yes, weaknesses aren’t always in the software, but in the configuration and people. Valid credentials can come from phishing, social engineering, or even the black market. The bottom line: the door is opened from the inside, not destroyed from the outside.
RHC: Initial findings show that most of the exfiltrated data concerns ticketing systems used by companies to manage internal support and requests. However, several sources claim that the real “gold mine” is the technical and confidential information contained in these tickets. Can you give us some more details about the most sensitive type of data you found and its real value compared to simple customer personal data?
SH: Customer data is important, but not the core. The real gold is in the internal ticketing system: technical documentation, infrastructure maps, confidential conversations. That’s more valuable than thousands of customer emails.
RHC: Recently, several members of your team have been arrested. You are under close scrutiny by various law enforcement agencies, and you are certainly being watched closely in the world of cybersecurity. Is this why you decided to publish your farewell post on breachforums.hn?
SH: Some members were indeed arrested. That’s a fact. Our farewell post on the forum? It could be read as a sign of resignation, or simply a new chapter. The underground world is always full of layers of meaning.
RHC: You also posted screenshots on your Telegram channel showing access to Google’s LERS and the FBI Panel. Don’t you think you’re exaggerating with your provocations? You are obviously aware of the consequences, yet you maintain a rigid and brazen stance. Why did you declare that you would cease your activities? Do you understand that, in the eyes of analysts, this appears to be an attempt at rebranding or a false exit?
SH: Was it a provocation? Yes. Were we aware of the risks? Absolutely. Why did it continue? Because it shows that no system is untouchable. The stop statement? Could be a trick, could be real. Let the public guess.
RHC: Your collective is made up of young people and teenagers. Your skills are undeniable and certainly above average compared to some professionals in the field. Despite this, we can assure you that opportunities for satisfaction and equally lucrative careers as an alternative to crime are feasible, especially for people who are able to devote their time to this field as you do. Why did you embrace crime? You created a reality that could have given you satisfaction and prestige among both younger and older people, but you decided to divert it to become a group of extortionists. Would you consider a sort of “redemption” on this front at the cost of severing ties with the criminal world? Do you really consider the criminal cost (as well as the damage to organizations) acceptable in order to continue your actions? What makes the criminal world so interesting in your eyes (aside from money)?
SH: Many of us are young. We know there are legal avenues that can lead to recognition. But crime offers challenges, freedom, and a shortcut to reputation. Is it worth it? Everyone’s answer is different. Redemption is possible, but it won’t come cheap.
RHC: ShinyHunters, thank you for your time and valuable answers. We would like to emphasize that not everyone who works in “lawful” security divides the world into good and bad, and just because you are labeled as “threats,” we understand that there are only nuances between these two extremes. We sincerely hope (if what you said in your farewell message is true) that you can reconcile your behavior and actions by considering not only to stop but to use your knowledge within a community that is healthy both for you and for security in general. We leave you this last space to say whatever you want in complete freedom.
SH: Don’t think of us as mere “threats” or “criminals.” We reflect an overlooked weakness. If you truly want us to stop, strengthen the system, educate people, and create attractive pathways for talented young people. Until that happens, groups like ours will continue to emerge.
We have two official channels, and we have tricked many people into believing that we only have one Telegram account. This is our goal, so that Telegram does not block our channel all at once.
Scattered Lapsus Hunters Official: https://t.me/+FInBlpGYJlA2NTQ9
Group: https://t.me/+COakigt517JlZDI1
Scattered Lapsus Hunters Part 2: https://t.me/+l7481fEs8Qo3NzZl
Scattered Lapsus Hunters Part 3: https://t.me/+YSzJ2twGKxI4NTdl
Scattered Lapsus Hunters Part 4: https://t.me/+Bs61zhw_lNFiMDg9